Saturday, 31 December 2011

I know it's not 2012 everywhere yet, but it is here, so happy new year everyone! 2011 has been an exceptionally strange, and sometimes downright frustrating year, and I doubt 2012 will be any different as I don't foresee some of the hosting companies'/registrars' attitudes changing, nor do I see ICANN or RIPE/ARIN et al getting off their backside and doing their damn job for a change. However, 2011

Friday, 30 December 2011

The hpHOSTS Hosts file has been updated. There is now a total of 230,392 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 29/12/2011 00:15
Last Verified: 28/12/2011 22:33

Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 28 December 2011

Due to technical problems, the hpHosts server, including the site and forums, will be down for a few hours. My apologies for any inconvenience.

Wednesday, 21 December 2011

Ransomware, the practice of providing fake notifications that “you’re infected” and then selling a fake solution that removes the fake malware they just installed, has been a boon for scammers. Now, they’re taking it a step farther, and throwing in a law enforcement scare. This time, an official-looking banner pops up, purporting to be from various law enforcement agencies, localized by region,

Friday, 9 December 2011

I am assisting a friend at present, with an issue involving IPs constantly attacking his servers, and noted during one of his recent updates, that a lot of them were HostNOC - turns out, there's quite the list of them (ignoring the others from known criminal networks). All are RFI etc, and all are already being blocked by ZBBlock (a script written by my friend Zaphod). The problem here, is HostNOCs

This one came in whilst I was asleep, no JS MITMs this time, just the link in the e-mail that uses a meta refresh to redirect you to the domain housing the Blackhole exploit itself;

Hello,
Shipping Confirmation
Order # 651-5411744-0155168
Your estimated delivery date is: Tuesday, December 13, 2011
Track your package

Thursday, 8 December 2011

This one came in an e-mail claiming to be from Facebook, with the usual social engineering rubbish;

facebook
Hi,
You haven't been back to Facebook recently.
You have received notifications while you were gone.
1 message

This little chap arrived in my spam box today, and almost got overlooked (I was checking the newest e-mails leading to the Blackhole exploit (one of which couldn't decide if it was from LinkedIn or the FDIC)), and not surprisingly, is fake. The payload, all 593KB of it, infects the unwitting victim with the SpyEye trojan. VT detection is utterly rubbish of course - only 2 vendors detecting

Monday, 5 December 2011

I received a comment to the 2009 blog. This one houses a variation of the MO used that I outlined in part 1 (was not going to be a part 2, but it's got a few changes that warranted it). The MO in this case, is;

1. Site A
2. Exploit

There's no MITMs this time. There's also a slight change in the code used on the exploit page itself, though curiously, it's even easier to decode than the last one (only

For those wondering and not yet aware. The latest incarnations coming via e-mail have changed MO - the link to the exploit itself isn't directly in the e-mail anymore. Instead, it goes via;

1. Site A
2. 4 x MITMs
5. Exploit site

In this case;

cadcamengineers.com/6ebc21/index.html
-> napaul.com/statcounters.js
-> proplastics.rs/statcounters.js
-> rodns.eu/statcounters.js
-> sashandbow.com.au/

Wednesday, 30 November 2011

Having been blogging this topic for quite a while, I figure this might be a good time to highlight some of the snippets of information that people have posted on some of those blogs (anonymized, of course). You might also be interested in a resource page I've started here at AVIEN. One prospective victim instructed to connect via the Run window to www.support.me. This turns out to belong to

Monday, 21 November 2011

The hpHOSTS Hosts file has been updated. There is now a total of 216,044 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 21/11/2011 18:30
Last Verified: 21/11/2011 19:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday, 15 November 2011

I thought I'd made this clear, but apparently not. I got an e-mail earlier, from a RoadRunner IP (residential US ISP), using an @up-yours.com address. There's two problems here however;

1. It's an invalid address, so can't reply
2. The e-mail houses a childish threat, without actually telling me what I did to deserve it

*********************************************************************General*****

Sunday, 13 November 2011

According to a post at my favorite news site, it looks like Lavasoft's new owners are the infamous chaps behind the well known "Interactive Brands". Should've seen this coming really, given they de-listed the well known malware player, WhenU, some time ago - I know that was 6 years ago, but it can't just be a coincidence, especially given who the new owners are.

Anti-spyware company Lavasoft AB is

Friday, 11 November 2011

You may remember, in September I blogged about Internet.BS, well known as a bulletproof provider for domain registrations. Sadly, neither Verisign nor ICANN have done anything, and Internet.bs are still refusing reports (I say refusing because whilst the error is a 450, they were notified months ago and it's still producing the same error, preventing reports going through), courtesy of the Gmail

Wednesday, 9 November 2011

Following an article I wrote recently for SC Magazine, Martijn Grooten of Virus Bulletin, who shares my interest in and dislike of support desk scams, contacted me about the web site associated with eFIX, a company claiming to offer online technical support. He and I, along with Steven Burn, who has a great deal of experience of working in this area, have been able to dig out some interesting

Tuesday, 1 November 2011

Look at the image on the left. See anything that shouldn't be there? I'll give you a hint - it's got a black background. I identified this whilst doing a routine enquiry on an IP housing a plethora of fake meds sites. I dropped a note to the site's owner and registrar, who informed me it most definitely should NOT be there. The content in question, is;

Tuesday, 18 October 2011

I received 4 spam e-mails earlier that housed 4 links pointing to zip files on 4 sites housed on rZone.de (Cronon) IP space - all of the files contain trojans - more on that later. As I normally do, I tried dropping the addresses listed in the net-block info an e-mail (cmueller@cronon.net and abuse@cronon.net), sadly it seems they don't want to receive abuse reports;

Mail delivery to the following

Monday, 10 October 2011

From my friend Conrad;

The following IPs are related to the TDL/TDSS rootkit. 212.36.9.52 / gic-kbmtu0zkvwylf.com appears to be a C&C server.

94.63.149.0/24 is a Romanian host called Eurolan Solutions SRL, I've had this blocked for months with no

Saturday, 8 October 2011

microsoft-key.com was registered through the well known criminal friendly BIZCN on October 7th (key-microsoft.com existed previously, same IP range), and not surprisingly, is up to no good. The domain is presently only in German for some reason (auto-redirs to /de-DE/, and no other language dirs seem to exist). A translation via Google, since I don't speak German, shows;

Welcome to the Microsoft

Wednesday, 5 October 2011

Apple have announced the death of Steve Jobs, former CEO of Apple.

http://www.apple.com/stevejobs/

You can bet your life that the blackhat SEO gangs will be on to this like a rash in the next few hours, so please be extra careful out there.

Thursday, 29 September 2011

Sorry for the delay folks.

The hpHOSTS Hosts file has been updated. There is now a total of 222,922 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 29/09/2011 18:00
Last Verified: 29/09/2011 01:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 28 September 2011

Q. How do you tell when a registrar is generating a lot of abuse reports?

A. When you receive failure messages such as;

This is the mail system at host us.internet.bs.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You

Tuesday, 27 September 2011

Executive Summary

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS

Wednesday, 21 September 2011

About bleedin time too.

One of Microsoft's Gold Partners has had its relationship with the software giant unceremoniously terminated, after being revealed to be orchestrating a telephone support scam. Comantra, based in India, are said to have cold-called computer users in the UK, Australia, Canada and elsewhere, claiming to offer assistance in cleaning up virus infections. The bogus support calls

Saturday, 17 September 2011

I was sent a URL earlier, that redirected to fake meds (surprise surprise). Checking further however, I arrived at the site's homepage to discover two scripts being loaded, one from a site that has now been cleaned, and another loaded from 70.85.43.147, that is still there;

70.85.43.147/minitools.js

Trying a quick check, Malzilla, JSUnpack etc failed to decode it, so I figured I'd wait until I had a

Friday, 16 September 2011

Not surprisingly, when the bad guys get a foot in, they take full advantage, and that's exactly what they're doing over at Formspring.me. Having started a campaign, and Formspring seemingly doing nothing to prevent it, the surge is continuing, with new ones being created every day so far. Thanks to someone that used to work for them, those that were reported to him have been taken care of, but

Monday, 12 September 2011

Date: 13-09-2011

* Modified LogSpammerToDB (with thanks to Jay Riley, jayriley.com)
+ Added blocklist.de

Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Live example:
http://temerc.com/Check_Spammers/
http://fspamlist.com/checkspammers/

Friday, 9 September 2011

Seems there's somewhat of a surge of abuse over at formspring.com lately, same kind of abuse seen previously on similar providers. The following, all leading to varying locations, are currently active, and have been reported to the upstream, since Formspring don't want to publicize an abuse contact (CC'd the report to the address listed in the WhoIs for Formspring's parent company).

hxxp://

Tuesday, 6 September 2011

New domains today, still only 71 unique MD5s, and all domains living at;

IP: 69.64.72.123
PTR: 69-64-72-123.dedicated.codero.net
NS: *.dns-diy.net
AS: 10316 69.64.64.0/19 CODERO-AS - Codero

Same registrar as all of the rest;

Registrant: Frank Jorney / jormwyuh4@hotmail.com
Registrar: ONLINENIC, INC

367u3hsl.com/files/18
367u3hsl.com/files/19
367u3hsl.com/files/23
367u3hsl.com/files/24
367u3hsl.com/files/

Saturday, 3 September 2011

Well, yesterday Sinowall was at 108.59.2.213; as of today, there's 2 new domains and a new IP - still the same amount of files, same 71 unique MD5s;

sghlymfsbvf.com/files/18 Trojan.Agent
sghlymfsbvf.com/files/19 Trojan.Agent
sghlymfsbvf.com/files/23 Trojan.Agent
sghlymfsbvf.com/files/24 Trojan.Agent
sghlymfsbvf.com/files/25 Trojan.Agent
sghlymfsbvf.com/files/26 Trojan.Agent
sghlymfsbvf.com/files

Friday, 2 September 2011

Q. What do you get if you cross 108.59.2.213 with a bunch of newly created domains?

A. Over 600 newly malicious URLs of course!

There's actually only a very small amount of domains, but 91 URLs to each domain, serving a grand total across them all, of 498 files and 71 unique MD5s;

MD5    File    Size
f88deaeb24ee0ae8f783ed61c8508b37    aguyet47td.com\files\17    2.00 KB

Thursday, 1 September 2011

co.tv have had quite the history, with a plethora of abuse of their service. They've previously been responsive as far as takedowns, but lately there's been no response, and those reported over the past week, have remained active.

A lot of the domains are pointing to an IP that resolves to parking.co.tv, but this isn't actually a parking server - it is a redirector;

Query: fuqayisi.co.tv

HTTP/

Sunday, 28 August 2011

Certainly took them long enough, but having been the latest service to be bombarded and misused by criminals, it seems at least one of the many heavily abused providers has seen sense and cancelled the option to create a free "domain" through them.

If you've been taking note, you'll have noticed the sheer volume of hostnames created on *.co.tv that have been involved in fake meds and exploits.

Saturday, 27 August 2011

And courtesy of my friend Anthony at MalwareURL (and I'm shamefully admitting to not thinking of checking this myself), here comes another 328 of them;

Yet another mass compromise going on recently folks (yep, surprise surprise). This time, the malicious code leads to a URL in the format;

clickme**.fileave.com

Where ** are letters based on the date/time. Yesterday (27th), these were clickmen[a-z].fileave.com, and today these are rather predictably, clickmeo[a-z].fileave.com.

Yesterday's were reported to both Network Solutions, and to FileAve (

I know it's late folks, and my apologies (better late than never?). Sadly the connection has been rubbish lately (I had a second phone and broadband line installed with another provider Wednesday gone and the current line is being re-provisioned, so should hopefully see the issues vanish).

The hpHOSTS Hosts file has been updated. There is now a total of 189,155 listed hostnames.

If you are NOT

Thursday, 25 August 2011

There's another phish doing the rounds lately it seems, this time targeting Windows Live users.

If you've received an e-mail similar to the following, click "Mark As" > "Phishing Scam" and delete it - DO NOT CLICK THE LINK!

Windows-Live - Account ALERT! - *Re-activate your account* (24-Aug)?

Dear (email address),

We are sending you this e-mail because Microsoft SmartScreen Technology has

Thursday, 11 August 2011

Something evil on 95.168.177.144: reddingtaxcm.com and inferno.name

reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).

The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.

Wednesday, 10 August 2011

A few people asked me to join LinkedIn recently, a site I've avoided like all other social networks for as long as I can remember, and I decided "at least it's not Facebook" (who themselves have now decided to get even worse), so popped over. I already know that social networks can't be trusted, they've proven that time and time again, and now it seems LinkedIn are proving it themselves;

A few updates today folks. Firstly, I've published a new hpObserver release. Nothing special, just a couple of bug fixes.

The hpHosts release has also been delayed due to a worse than rubbish connection, drastically slowing down the validation process (almost 24 hours just to run a DNS validation on 3600 domains (only seems to be DNS affected by the slowdown so far)).

I also noted yesterday

Sunday, 7 August 2011

Version: 0.6.4

Added: List ASN associated with IP.
Fixed: IP formatting when saving to text and there's more than one IP

Download
http://support.it-mate.co.uk/?mode=Products&act=DL&p=hpobserver

Wednesday, 3 August 2011

Just a warning folks, there's a replacement for the now suspended rulesbreacker.com/wsumg.com botnet, and it's mstdpro.com. Resolving to residential IPs and serving exploits and a trojan through URLs such as;

mstdpro.com/mydata/forms/apisrv.php
mstdpro.com/appserver/
mstdpro.com/efs/servlet/military/login.jsp
mstdpro.com/app/bps/main/
mstdpro.com/arc/files/
mstdpro.com/arc/files/archivo.exe
mstdpro.com/

Saturday, 30 July 2011

Love Top Gear? I do too, can't wait for Sundays and Wednesdays, and tend to watch it on Dave through the week (seen them all hundreds of times since they're repeated around 5 times a day, but bah, there's normally nothing else on anyway). However, if you're searching for Top Gear episodes (thought everyone knew the official URL (http://bbc.co.uk/topgear), but obviously not), then you may find

Tuesday, 26 July 2011

There's lots been written on security for your machines and networks, be it routers, PCs, laptops, netbooks, iPads, Androids and Blackberrys and the likes - but all the security in the world isn't going to help you if these actually get stolen, either through a break-in or pick pocketing or the likes. Are you prepared for this? Could you tell the police how to identify and track your items, should

Sunday, 24 July 2011

The chaps behind Renos are on the move again as of today, this time to Russia based Eurobyte Llc (AS35415), or best known as a customer of Webazilla. Both known bulletproof hosting. New domain as of 30 mins ago, is through UK2 (surprise surprise), though there's been one prior to that, through DirectI (suspended a few mins after being reported);

fileyourextension.net/New-Video-Addon.48560.exe
IP:

Friday, 22 July 2011

I phoned HostNOC/Burst around an hour ago, regarding an IP that had been serving Renos for a while, and stayed on the phone until it was suspended. Expecting them to move to a new IP rather quickly, but sadly had to pop to the shops. Getting back however, I wasn't to be disappointed. The chaps behind Renos (still don't know who that is, but am working on it), had moved to a new IP yet again,

Tuesday, 19 July 2011

I love predictability, makes my job much easier (well, as far as these chaps are concerned anyway). 3 IPs as of today, same registrars (surprise surprise);

UK2
DirectI
NetEarth

One of the IPs is the same as yesterday (errr Burst.net/HostNOC - what happened to your 24 hour warning?).

66.197.187.152 immovable.detectstakes.com AS21788 66.197.128.0/17 NOC - Network Operations Center Inc.
193.105.171.120

Monday, 18 July 2011

Well, I said it would happen and it has - my friends at Leaseweb finally nulled the server housing Renos, and as with their previous pattern - they're back to HostNOC/Burst. They're now using 66.197.187.152 (latest domain: worldmediaplugins.org), same registrars and infection, so nothing else to report I'm afraid. As far as UK2 and DomainContext, the latter is still failing to reply, and I'm

Friday, 15 July 2011

Looks like they're on the move to a new host, this time it's Leaseweb (Rob and Jottie will hopefully be getting it down shortly, so they shouldn't be there long). As of a few minutes ago, the latest Renos domain is pointing to;

82.192.79.49

The URL;

makepan.in/New-Video-Addon.48563.exe

References
Part 5a: Interserver, malware, and the Scottish weather
http://hphosts.blogspot.com/2011/06/part-5-

Thursday, 14 July 2011

Facebook worms are nothing new, having been documented as far back as 2008, but after a tip from a friend, I dipped into the DNS records for a couple of IPs, and plucked out this lovely lot. All of which appear involved in the same Facebook worm/phish that others have blogged about;

10gambling.com
11likes.info
12v-dc-motor.motorsforsales.us
2003-microsoft.officediscount.us
2010-

Tuesday, 12 July 2011

I've not worked out their obsession with HostNOC yet, but so far, the only two hosting companies they're flitting between, are CoolVDS (AS50669, well known to be criminal friendly) having until a few hours ago, been housed at 193.105.171.226 since their last stint on HostNOC (184.22.253.11) until July 7th.You'll no doubt not be surprised to hear, other than their flitting between the two hosts,

Wednesday, 6 July 2011

64.120.151.73 was first reported to HostNOC/Burst on July 2nd, both via e-mail and via telephone. When speaking to them on the phone, I was advised they'd give the customer a 24 hour warning. Watching the new domains popping up each day, I continued to send them reports, and resorted to a second phone call last week (Sunday if memory serves), to be told yet again, they'd give the customer a 24

Saturday, 2 July 2011

This was never intended to be multipart, but I figured after part 1, I may as well do the other IPs they're using. As it happens, one of the other IP ranges they've got is through AS56927. The /24 in question, similar to the previous one, is 188.229.97.0/24. What's curious here, is that AS records show something interesting - an invisible link (AS52366 that AS records says doesn't exist. If we

Friday, 1 July 2011

Just a note folks, the network housing the likes of fspamlist.com, mysteryfcm.co.uk and the Abelhadigital.com forums, will be down for around 2 hours tomorrow, to allow for maintenance. The exact time hasn't been finalized yet, but is expected to be between 15:00-17:00.

Sites affected:
*.mysteryfcm.co.uk
*.

The hpHOSTS Hosts file has been updated. There is now a total of 154,282 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 01/06/2011 17:00
Last Verified: 01/06/2011 12:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 29 June 2011

What do you do when you need lots of IPs to house your fake meds and other criminal sites? Use botnets? Compromised sites/servers? That's certainly what the bad guys involved in exploits, malware and other badness like to do. Of course, another favourite of the bad guys, is to set up their own ASNs, complete with batches of IPs and IP ranges, to house their criminal activities. This is exactly

Tuesday, 28 June 2011

If you've not already done so, you'll want to block 78.111.51.100 asap. It's currently housing a plethora of domains that are serving malware via exploit. Payloads are coming from paths such as;

thujkdswg.tld.tc/k.php?f=20&e=3
-> about.exe
--> 3c6d68ea89512089df0cd7629439c378

You'll no doubt notice the usual suspects as far as the ccTLD branches (redirection services serving off of ccTLDs such as .cc)

Looks like HostNOC/Burst finally pulled their finger out. Over the past 24 hours, they've now moved to a bulletproof host (193.105.171.70, AS50669 COOLVDS-as FOP Kutcevol Maksum Mukolaevich). If you've not already, you may want to consider blackholing the following;

91.218.120.0/22
193.105.171.0/24

Registrars used haven't changed, still using DirectI resellers, DomainContext and UK2. Thankfully,

Monday, 27 June 2011

Ever get the feeling HostNOC/Burst aren't taking this seriously? They took 3 years to boot these guys the first time, and now all they're doing, is jumping across different IPs on the HostNOC/Burst AS. The new IP they're using as of today, 173.212.255.31

Filenames occasionally change (new ones: New-Video-Addon.40028.exe, FlashPlayer.40028.exe, old ones produce fake 404s), but the infection

Thursday, 23 June 2011

Opinion

A recent newspaper investigation uncovered evidence that companies are paying agencies to create false online reviews for their services. But what those companies may not realise is that this is illegal and could ruin their businesses. The practice is called astroturfing, because it fakes grass-roots support, and it is not only ethically questionable, it is illegal. And if the law doesn't

Wednesday, 22 June 2011

Well that didn't take them long. They're back to .in domains, and have moved to the well known SwiftWay (AS35017).

New payload URL;

rhyzilch.in/FlashPlayer.40028.exe
IP: 46.21.159.228
PTR: 228.159.21.46.inferno.name
MD5: 42a61ad4f894d9d21434cc5d5819aaef

This /24 of course, as with all SwiftWay ranges, is no stranger to malicious content, having hosted everything from fake AVs to trojans, and even fake

Well, the bad guys tried fooling everyone by changing the filename yet again (sorry Mr Bad Guy - we're not that stupid). You'll remember that they were using HostNOC as of the latest incarnations, and I both e-mailed and phoned HostNOC on the 20th, the day the move was made, and the person I spoke to advised me they were giving the customer a 24 hour warning. 3 days later, and it was still online

The move to the new server has now completed. DNS propagation should be complete for most, but if you're still seeing the old 208. address, please refresh your DNS cache. Please let me know if you notice any problems.

Tip: don't get your hair stuck in the car window when closing it - it hurts like hell!

Just a note folks, the hpHosts website and forums are in the process of being moved to a new server, so will be down for around an hour or so. My apologies for any inconvenience.

Sunday, 19 June 2011

Not surprisingly, since my last post, they've switched the latest ones back to HostNOC/Burst.Net (same company that took 3 years to boot them last time). Registrars are primarily DirectI and UK2 (who don't seem to be replying ....). DirectI have been shutting down those I've found, within 30 mins of their being reported. I've likely missed quite a few since my sleeping meds knocked me out for a

Thursday, 16 June 2011

They say, if you don't like the Scottish weather, wait 20 mins. That's all I've got on that one. In the last few weeks alone, 2 specific IPs have racked up a count of over 2000 malicious domains, most through just a handful of registrars (all those through DirectI have been suspended within around 20 mins on average, of being discovered, with DirectI suspending several thousand more related

Sunday, 12 June 2011

I get a few of these, and they always make me laugh. Seems some people don't bother reading or researching what hpHosts actually is, before e-mailing me.

Name: Hugo
E-mail: {REMOVED}
How did you find us?: Other...
Other: Not provided
Site navigation: Very easy
Comments: Please add my site to your database.

I've removed his e-mail address to save him some embarrassment, but little hint to those of you

Wednesday, 1 June 2011

For web applications to spring even farther ahead of traditional software, our teams need to make use of new capabilities available in modern browsers. For example, desktop notifications for Gmail and drag-and-drop file upload in Google Docs require advanced browsers that support HTML5. Older browsers just don’t have the chops to provide you with the same high-quality experience. For this reason,

Thursday, 26 May 2011

Seems the bad guys don't believe we actually check sites/files we're coming across anymore, only that we look for a specific filename. I've been monitoring a couple sites leading to trojans, and having the domains shut down. Over the past few days (approx the 20th), they've disabled the specific filename the malicious code points to, possibly believing we'll say "okay, it doesn't exist anymore,

Just an FYI folks. To allow my ISP to identify a fault on the line, I've got to take the entire network offline for an hour. This will obviously mean all servers will be unavailable. The network will be taken offline this evening at 19:00 GMT London, and will be back at 20:00 GMT London.

Sites affected:
*.mysteryfcm.co.uk
*.

Wednesday, 25 May 2011

The hpHOSTS Hosts file has been updated. There is now a total of 149,988 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 25/05/2011 15:30
Last Verified: 25/05/2011 01:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Tuesday, 24 May 2011

My other half, though in her 20's, is also part of the "share it all" and "it'll never happen to me" generation, despite being as paranoid and insecure as heck about everything (though generally only paranoid about what her friends think, what I think etc, rather than things that actually matter). Drives me up the wall, especially given she should be mature enough to know better. Kids are already

Oh dear, this isn't going to end well (especially given they were involved in the Phorm debacle too);

BT reserves, and makes use of, the right to remotely detect all devices connected to LANs owned by its broadband customers – for their own good, of course. BT Broadband customers can expect to have their network checked any time the operator feels it needs to take a peek to help it provide the

Sunday, 22 May 2011

As if you needed telling, but sadly to state the obvious, the scammers traced back to India are still very much involved in defrauding unsuspecting victims, and are now apparently going one step further by infecting their machines to boot. In previous iterations of this scam the person on the phone would get you to click through to the event viewer to "find something red". Strangely enough there

My friend and co-admin at MalwareDomainList just alerted me to a site impersonating VirusTotal, for the purposes (surprise surprise) of infecting unwitting victims with both a fake AV and a trojan. I've sent an e-mail to my friend Ross at Dot.tk, to have the .tk domain taken out, and will be getting in touch with the host and registrar, for the site it's pointing to, but in the meantime, you can

Thursday, 12 May 2011

Oh I do love good news in the morning. Zango/Pinball need no introduction, everyone is aware of their ongoing shenanigans over the years, and it looks like they're down for the count for now. Or at least, business filings say they are (we all know Zango tried the same hide and seek method, and left a trail that led to the switch to Pinball Corp being discovered relatively quickly). I've said it

Thursday, 5 May 2011

Ever wonder why some hosting companies try and send you on a "we're waiting, it's resolved, really we're just the innocent victims here, please be patient" game, that results in your getting frustrated and the criminals staying online even longer? Well, the answer is companies (and I use the term companies loosely in this case) such as Don Servers, which is actually the same "company" as CompLife

hpHOSTS - Updated May 2011

The hpHOSTS Hosts file has been updated. There is now a total of 124,448 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)

Latest Updated: 05/05/2011 17:00
Last Verified: 05/05/2011 06:00

Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 4 May 2011

Hat tip to the guys at the ISC for the heads up (got the Microsoft RSS on the reader but didn't notice this one).

We have received notification that Sysinternals has had some updates. One in particular that is a favorite among handlers is Process Explorer. It now includes: Process Explorer v14.11 includes the ability to configure network and disk activity icons in the tray. Check out the

Seems the fake AV gang responsible for these campaigns have gone from Tucows, back to Instra Corp again. This lot were first created March 24th, and are now being used yet again;

Thursday, 28 April 2011

It was bound to happen, after having their IPs killed a few days ago, and I'm actually surprised it took them this long, but alas as of the 28th, there's yet more malicious fake AV domains via Tucows (wonder if Tucows are actually going to put a stop to this?).

Tuesday, 26 April 2011

Many have been bleating on about securing WiFi pretty much since WiFi was first available to the masses, but many still don't bother securing it, leaving them wide open to abuse at best and, at worst, to being prosecuted because someone used YOUR unsecured wireless connection to download child pornography.

A case has been brought to light yet again, of a man prosecuted because a neighbour used his

Sunday, 24 April 2011

I am pleased to report that, with the help of my friend William (GoDaddy), every single one of the following has had its IPs suspended by CaroNet (better late than never). I fully expect them to move to new IPs, but in the meantime it's ~500 fewer sites that can infect its

Tuesday, 19 April 2011

hpHOSTS - Updated April 2011
The hpHOSTS Hosts file has been updated. There is now a total of 122,034 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 20/04/2011 03:00
Last Verified: 20/04/2011 01:00
Download hpHosts now! http://hosts-file.net/?s=Download

Wednesday, 16 March 2011

Taking down malicious sites has been part of daily life for years now, and I still love every second of it. Primarily because it annoys the bad guys, but mostly because it means there are fewer malicious sites (for a second anyway) for people to get infected via.

Over the years there have been many changes in the responses from hosting companies and registrars. GoDaddy have become one of the best at

Tuesday, 15 March 2011

Just a note, folks. The hpHosts website and forums will be offline between 20:00 - 21:30 PST for maintenance.

That's 06:00 this morning for us in the UK, btw ;o)

Saturday, 12 March 2011

Sites such as eBay are extremely useful for finding that wonderful collectable, part, or a multitude of other things you've been meaning and wanting to buy for yourself.

Sadly however, as with many other sites, there are those on there who are doing as much as possible to part you from your money. There are millions of legit users on there, just like yourself, but don't forget -

Friday, 11 March 2011

That certainly appears to be the case with a site I came across today. The following, if loaded in a browser, displays what we're used to seeing when a site wants to infect our machine with a fake AV;

www(.)sosgt.com/indexm.php

In this case however, we're given a purchase page. Clicking to proceed to the checkout takes us to;

hxxps://secureonlinestore.net/secureorder/orders.php

In case you're

Wednesday, 9 March 2011

Second verse, same as the first. Same registrar, same registrant, same multi-residential IP setup, same content - same everything.

usabbc.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)
utgroup.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)
waterspa.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126-LRMS)
werace.info - Vlad Marks / vladmarks@yahoo.ca eNom, Inc. (R126

Tuesday, 8 March 2011

Just came across another lovely lot, all created March 7th, all registered using eNom (surprise, surprise), all registered to Vlad Marks / vladmarks@yahoo.ca, and all with the same content and MO as the last

Normally I get very annoyed with myself when I miss one of Chris Boyd's blogs. This time however, I'm partially glad I did, as otherwise I may have missed what I've just found.

Going over some of the stuff he found, I decided to do a bit more digging, and not only has franebook.com come back to life - the bad guys behind it have gotten themselves some new domains, all associated with a single name

Saturday, 5 March 2011

I guess someone in the general area of Kolkata reads my blog posts. At any rate, after I posted a blog yesterday bemoaning the fact that I had to do my own systems support, I got a phone call from a gentleman with a pronounced accent wanting to help me with my virus problem.

It's Raining Men (And Wooden Horses)

You didn't know I had a virus problem? Neither did I, but he assured me that I was

Thursday, 3 March 2011

Others and I have been reporting on and following the telephony-based scams which, for now, are being traced back to "companies" in Kolkata, India, for quite some time now.

I'm sorry to say (but definitely not surprised) that these scammers are still targeting people around the world, with reports coming in quite frequently to places such as digitaltoast.co.uk (warning, due to the page size, it

Tuesday, 1 March 2011

hpHOSTS - Updated March 2011
The hpHOSTS Hosts file has been updated. There is now a total of 122,276 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 02/03/2011 00:00
Last Verified: 01/03/2011 16:00
Download hpHosts now! http://hosts-file.net/?s=Download

Sunday, 27 February 2011

I came across something a few minutes ago that absolutely disgusted me. A ProBoards user reported a fraudulent advert being served through the ProBoards service, and instead of saying thank you, the ProBoards abuse dept sent a warning to the USER THAT REPORTED IT, due to a simple NON-ABUSIVE message at the top of the user's forums;

http://kasha-against-spam.proboards.com/index.cgi?board=kasscams

Thursday, 24 February 2011

As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them, but of being prosecuted for fraud - they've now got to risk not answering a questionnaire correctly and being rejected (the thought of being rejected as a money mule due to not answering correctly is simply hilarious).

An MDL user pointed me to a few sites running the ever so

Tuesday, 22 February 2011

Release: v0.52
Date: 22-02-2011
* Fixed bug in functions.php
* Modified IsValidEmail() function
* Changed strpos() calls to substr_count()
* Fixed bug in check_spammers_plain.php that resulted in invalid e-mails being allowed
+ Added code to check for Bad Result error when querying blacklists
* Contains modifications (e.g. re-written isURLOnline() and getURL() functions) and bug fixes with thanks to Dan

Saturday, 12 February 2011

Finally had time for a bit of work on this.

Version: 0.51
* Fixed bug in check_spammers_plain.php
* Misc other fixes
+ Added drone.abuse.ch
+ Added zeustracker.abuse.ch
+ Added spam.abuse.ch
+ Added httpbl.abuse.ch

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Tuesday, 8 February 2011

hpHOSTS - UPDATED February, 2011
The hpHOSTS Hosts file has been updated. There is now a total of 122,245 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 08/02/2011 21:00
Last Verified: 08/02/2011 12:00
Download hpHosts now! http://hosts-file.net/?s=Download

Wednesday, 2 February 2011

If x = b, what do we need numbers for?

Last time I checked, the Soviet Union didn't exist anymore, yet as we all know, the .su TLD lives on.

Random musings are great, aren't they? Well, not in this case. I've yet to see a .su domain that's actually legit, and this one is no different. The domain in this case is officialversion.su (also known as officialversion.ru), a domain we're all familiar

Friday, 21 January 2011

hpHOSTS - UPDATED January 21st, 2011
The hpHOSTS Hosts file has been updated. There is now a total of 122,616 listed hostnames.
If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
Latest Updated: 21/01/2011 16:50
Last Verified: 21/01/2011 10:00
Download hpHosts now! http://hosts-file.net/?s=Download

Thursday, 20 January 2011

Due to an issue with my mail server, I am currently experiencing problems sending replies and receiving new e-mail. I thought I'd pinned down the cause to a queue issue with the server, but apparently not.

If you're awaiting a reply from me, please be patient whilst I try to resolve the problem.

Please be advised, this issue affects all sites using the server as well (inclusive of the hpHosts

Monday, 17 January 2011

I've had a reply from Heart Internet regarding the latest list sent to them (still verifying what's going on with the first few lists);

We've identified how it's happened, and we are going to clean the sites very soon.
I'd like to point out that they're all the result of compromised personal Windows machines (i.e. people's home desktops which have viruses). No machine of Heart Internet's has been

Saturday, 15 January 2011

I was pointed to a site earlier that provided nothing but links to malicious sites. Presumably the site's sole intention is for search engines to crawl it. What was interesting is that it didn't have all of the links on one page - you had to keep refreshing it. Very boring and time consuming, so I wrote a program to do it for me.

Refreshing it 1000 times brought a list of over 800 unique sites involved
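A harvester of the kind described above, as an added example; this is not the program from the original post. It assumes the rotating page is plain HTML with <a href> links and takes the fetcher as a parameter, so the constructed SAMPLE_HOSTS and sample_fetcher below stand in for the live page and nothing is contacted when it runs. The idle_limit stop (give up after a run of refreshes that add nothing new) goes beyond the fixed 1000 refreshes in the post; http_fetcher is how you would point it at a real page, and it only ever requests the directory page itself, never the harvested hosts.

```python
"""Collect the unique hosts linked from a page that shows a different subset
of its links on every refresh. Added example, not the original post's program."""
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import Request, urlopen


class LinkExtractor(HTMLParser):
    """Collects the href value of every <a> tag in a page body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def extract_hosts(html, base_url="http://example.invalid/"):
    """Return the set of lowercased hostnames linked from one page body.
    Relative links are resolved against base_url; mailto:, javascript: and
    other non-http(s) targets are ignored."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        parts = urlsplit(urljoin(base_url, href.strip()))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        hosts.add(parts.hostname.lower())
    return hosts


def harvest(fetch, max_rounds=1000, idle_limit=50):
    """Call fetch() repeatedly and accumulate hostnames. Stops at max_rounds,
    or earlier once idle_limit consecutive refreshes add nothing new.
    Returns (set_of_hosts, refreshes_performed)."""
    seen = set()
    idle = 0
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        new = extract_hosts(fetch()) - seen
        if new:
            seen |= new
            idle = 0
        else:
            idle += 1
            if idle >= idle_limit:
                break
    return seen, rounds


def http_fetcher(url, timeout=15):
    """Build a fetch() for a live directory page (assumed URL supplied by the
    caller). Only that page is requested; harvested hosts are never contacted."""
    def fetch():
        req = Request(url, headers={"User-Agent": "Mozilla/5.0"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


# Constructed stand-in for the rotating page: 12 hypothetical hosts, of which
# each "refresh" shows a random 3, mirroring the behaviour described in the post.
SAMPLE_HOSTS = ["bad%02d.example" % i for i in range(12)]


def sample_fetcher(seed=1):
    """Offline fetch() that serves a different 3-link subset on every call."""
    rng = random.Random(seed)

    def fetch():
        picks = rng.sample(SAMPLE_HOSTS, 3)
        links = "".join('<a href="http://%s/in.cgi?3">x</a>' % h for h in picks)
        return "<html><body>" + links + "</body></html>"
    return fetch


if __name__ == "__main__":
    hosts, rounds = harvest(sample_fetcher(), max_rounds=1000, idle_limit=50)
    print(len(hosts), "unique hosts after", rounds, "refreshes")
    for host in sorted(hosts):
        print(host)
```

Swap `sample_fetcher()` for `http_fetcher("http://<directory page>/")` to run it against a real page; keep idle_limit generous, since a page rotating a few links out of several hundred can go many refreshes without showing a new one.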
Remember the attack on other hosting companies by the blackhat SEO gang? Well, now they've moved to attacking Heart Internet customers - and they're doing a pretty damn good job of it too.

The problem here isn't actually the bad guys so much as it is Heart Internet themselves (and yes, the bad guys are of course the primary problem, as they're the ones doing it). Heart Internet have had a lot of

Saturday, 8 January 2011

Whilst investigating a site earlier, I stumbled upon a site claiming to be a vanilla porn site. Not surprisingly, it turned out to be slightly more than that.

This site offers its victims the usual player you're used to seeing on the likes of YouTube - with a major difference. Instead of the fake codec, or an actual video, an HTA is downloaded and executed, that contains;